FuzzForge is under active development
AI-powered workflow automation and AI Agents for AppSec, Fuzzing & Offensive Security
Overview • Features • Installation • Quickstart • AI Demo • Contributing • Roadmap
---
## Overview
**FuzzForge** helps security researchers and engineers automate **application security** and **offensive security** workflows with the power of AI and fuzzing frameworks.
- Orchestrate static & dynamic analysis
- Automate vulnerability research
- Scale AppSec testing with AI agents
- Build, share & reuse workflows across teams
FuzzForge is **open source**, built to empower security teams, researchers, and the community.
> FuzzForge is under active development. Expect breaking changes.
>
> **Note:** Fuzzing workflows (`atheris_fuzzing`, `cargo_fuzzing`, `ossfuzz_campaign`) are in early development. OSS-Fuzz integration is under heavy active development. For stable workflows, use: `security_assessment`, `gitleaks_detection`, `trufflehog_detection`, or `llm_secret_detection`.
---
## Demo - Manual Workflow Setup

_Setting up and running security workflows through the interface_
More installation options in the [Documentation](https://docs.fuzzforge.ai).
---
## Key Features
- **AI Agents for Security**: Specialized agents for AppSec, reversing, and fuzzing
- **Workflow Automation**: Define & execute AppSec workflows as code
- **Vulnerability Research at Scale**: Rediscover 1-days & find 0-days with automation
- **Fuzzer Integration**: Atheris (Python), cargo-fuzz (Rust), OSS-Fuzz campaigns
- **Community Marketplace**: Share workflows, corpora, PoCs, and modules
- **Enterprise Ready**: Team/Corp cloud tiers for scaling offensive security
---
## Support the Project
If you find FuzzForge useful, please star the repo to support development.
---
## Secret Detection Benchmarks
FuzzForge includes three secret detection workflows benchmarked on a controlled dataset of **32 documented secrets** (12 Easy, 10 Medium, 10 Hard):
| Tool | Recall | Secrets Found | Speed |
|------|--------|---------------|-------|
| **LLM (gpt-5-mini)** | **84.4%** | 41 | 618s |
| **LLM (gpt-4o-mini)** | 56.2% | 30 | 297s |
| **Gitleaks** | 37.5% | 12 | 5s |
| **TruffleHog** | 0.0% | 1 | 5s |
[Full benchmark results and analysis](backend/benchmarks/by_category/secret_detection/results/comparison_report.md)
The LLM-based detector excels at finding obfuscated and hidden secrets through semantic analysis, while pattern-based tools (Gitleaks) offer speed for standard secret formats.
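The gap between pattern matching and obfuscated secrets can be reproduced with a few lines. The following is an added example, not FuzzForge or Gitleaks code: the rule is a simplified stand-in for a pattern-based detector, and the samples are constructed from AWS's documented example key ID. It shows a raw regex pass missing a base64-encoded and a concatenated secret, and a deterministic normalization pass recovering both; it does not reproduce the LLM's semantic analysis.

```python
import base64
import re

# Constructed, non-functional samples built from AWS's documented example key ID.
KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLES = {
    "plain.py": f'aws_access_key_id = "{KEY}"',
    "encoded.py": 'cfg = "' + base64.b64encode(KEY.encode()).decode() + '"',
    "split.py": 'key = "AKIA" + "IOSFODNN7" + "EXAMPLE"',
}

# Simplified rule in the style of pattern-based scanners (assumption, not a real Gitleaks rule).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
CONCAT = re.compile(r'"\s*\+\s*"')  # adjacent string literals joined with +


def pattern_scan(text):
    """Pass 1: match the rule against the raw text only."""
    return AWS_KEY_ID.findall(text)


def normalized_scan(text):
    """Pass 2: also scan base64-decoded tokens and joined string literals."""
    hits = set(pattern_scan(text))
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: ignore
        hits.update(pattern_scan(decoded))
    hits.update(pattern_scan(CONCAT.sub("", text)))
    return sorted(hits)


def compare(samples):
    """Return {filename: (found by pattern-only, found after normalization)}."""
    return {
        name: (bool(pattern_scan(text)), bool(normalized_scan(text)))
        for name, text in samples.items()
    }


if __name__ == "__main__":
    for name, (raw, norm) in compare(SAMPLES).items():
        print(f"{name:12} pattern-only={raw!s:5} normalized={norm}")
```

Normalization only covers the encodings it is written for, which is why a semantic pass can still find secrets that both passes miss.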
---
## Installation
### Requirements
**Python 3.11+**
Python 3.11 or higher is required.
**uv Package Manager**
```bash
curl -LsSf https://astral.sh/uv/install.sh | sh
```
**Docker**
For containerized workflows, see the [Docker Installation Guide](https://docs.docker.com/get-docker/).
#### Configure AI Agent API Keys (Optional)
For AI-powered workflows, configure your LLM API keys:
```bash
cp volumes/env/.env.example volumes/env/.env
# Edit volumes/env/.env and add your API keys (OpenAI, Anthropic, Google, etc.)
```
This is required for:
- `llm_secret_detection` workflow
- AI agent features (`ff ai agent`)
Basic security workflows (gitleaks, trufflehog, security_assessment) work without this configuration.
### CLI Installation
After installing the requirements, install the FuzzForge CLI:
```bash
# Clone the repository
git clone https://github.com/fuzzinglabs/fuzzforge_ai.git
cd fuzzforge_ai
# Install CLI with uv (from the root directory)
uv tool install --python python3.12 .
```
---
## Quickstart
Run your first workflow with **Temporal orchestration** and **automatic file upload**:
```bash
# 1. Clone the repo
git clone https://github.com/fuzzinglabs/fuzzforge_ai.git
cd fuzzforge_ai
# 2. Copy the default LLM env config
cp volumes/env/.env.example volumes/env/.env
# 3. Start FuzzForge with Temporal
docker compose up -d
```
> The first launch can take 2-3 minutes for services to initialize.
```bash
# 4. Run your first workflow (files are automatically uploaded)
cd test_projects/vulnerable_app/
fuzzforge init # Initialize FuzzForge project
ff workflow run security_assessment . # Start workflow - CLI uploads files automatically!
# The CLI will:
# - Detect the local directory
# - Create a compressed tarball
# - Upload to backend (via MinIO)
# - Start the workflow on vertical worker
```
**What's running:**
- **Temporal**: Workflow orchestration (UI at http://localhost:8233)
- **MinIO**: File storage for targets (Console at http://localhost:9001)
- **Vertical Workers**: Pre-built workers with security toolchains
- **Backend API**: FuzzForge REST API (http://localhost:8000)
## AI-Powered Workflow Execution

_AI agents automatically analyzing code and providing security insights_
## Resources
- [Website](https://fuzzforge.ai)
- [Documentation](https://docs.fuzzforge.ai)
- [Community Discord](https://discord.gg/8XEX33UUwZ)
- [FuzzingLabs Academy](https://academy.fuzzinglabs.com/?coupon=GITHUB_FUZZFORGE)
---
## Contributing
We welcome contributions from the community!
There are many ways to help:
- Report bugs by opening an [issue](../../issues)
- Suggest new features or improvements
- Submit pull requests with fixes or enhancements
- Share workflows, corpora, or modules with the community
See our [Contributing Guide](CONTRIBUTING.md) for details.
---
## Roadmap
Planned features and improvements:
- Public workflow & module marketplace
- New specialized AI agents (Rust, Go, Android, Automotive)
- Expanded fuzzer integrations (LibFuzzer, Jazzer, more network fuzzers)
- Multi-tenant SaaS platform with team collaboration
- Advanced reporting & analytics

Follow updates in the [GitHub issues](../../issues) and [Discord](https://discord.gg/8XEX33UUwZ).
---
## License
FuzzForge is released under the **Business Source License (BSL) 1.1**, with an automatic fallback to **Apache 2.0** after 4 years.
See [LICENSE](LICENSE) and [LICENSE-APACHE](LICENSE-APACHE) for details.